Lightspeed and Wiz CEO Assaf Rapaport back A with $37 million for AI attackers

The money is real and so is the clock. Lightspeed Venture Partners, Cyberstarts, and angels including Wiz CEO Assaf Rapaport backed New York-based autonomous offensive security startup A with $37 million after the company emerged from stealth, Fortune learned exclusively.

The timing could not be louder. Anthropic's Mythos, unveiled April 8 in a restricted release, autonomously surfaced previously unknown security flaws across every major operating system and browser. That kind of capability hands even unsophisticated attackers a preview of what is coming, and A is betting that defenders need to stop running offense like it is a quarterly ritual.

A CEO and cofounder Yossi Torati frames the industry problem as an inevitable meltdown, not a vague risk. Torati spent six years at Israeli incident response firm Sygnia, investigating and recovering from major hacks and responding to breaches across roughly 40 countries. His cofounders, Omer Gull and Yuval Itzchakov, also come from cyber-heavy backgrounds from Check Point, Hunters, and IDF Unit 8200. In other words, they are not building “AI security” as a tagline. They are building it from the posture of people who have lived through incident response, where timelines and uncertainty are the enemy.

Torati says the founding moment was watching attackers use AI and concluding that much of the cybersecurity playbook was about to become obsolete. “Instead of flagging risk hotspots or handing companies a severity score,” A runs what it describes as the full cyber offensive lifecycle autonomously. The company acts like an AI-powered attacker to find weaknesses, then helps fix them before a real attacker can. The goal is not just detection. It is compression. Traditional security programs can spend months learning what an attacker could do, only to discover those findings long after the window has moved.

The case A cites is blunt. In an early proof-of-concept, it turned up 1.2 million sensitive customer records, including Social Security numbers, that had been sitting exposed for seven years. The point is not that any one tool missed everything. The point is that existing tooling and the customer’s own team did not detect the exposure, which is precisely the gap A is trying to eliminate.

That gap is where Lightspeed partner Guru Chahal says the board-level fear lives. He tells Fortune that “the gap between the time where an issue is discovered to the time you get hit with it is minutes,” and that CISOs are terrified of this right now. Chahal argues the old model, paying for a manual simulated cyberattack once every six to 12 months, is effectively dead. In those six months, he warns, “someone's going to walk away with all your crown jewels,” making the simulation feel more like a report than a defense.

This is also why A’s market category matters to decision-makers beyond the obvious “security budget” line item. A is building toward what it calls continuous threat exposure management. Fortune reports the market was estimated at $2.7 billion in 2025 and projected to reach $7 billion by 2033. That is a fast ramp for a category that used to be treated as periodic. It implies not only demand for new products, but a change in operating cadence, how often teams test controls, and how quickly they remediate.

Competition is showing up from AI-native angles too. The competitive field includes XBOW, which raised $120 million at a $1 billion-plus valuation in March. The presence of well-funded players in AI-forward security also matters for board dynamics. When the market starts rewarding “continuous” and “autonomous,” older approaches risk looking like legacy compliance theater rather than a living defense.

Chahal’s stance is equally telling: he is not hedging. He says he “genuinely believe[s] some of the largest companies are going to get built in this category.” The funding, Fortune adds, will go toward scaling go-to-market and building out the product roadmap. Current A customers are all enterprises, spanning finance, healthcare, critical infrastructure, and technology, though Torati declined to give a number.

Regulators and risk frameworks are part of the backdrop, even if the article does not name a specific rule. The second-order implication is that faster attacker progress, powered by frontier AI models like Mythos, compresses the time regulators, auditors, and boards need to justify that controls are working continuously. If the “time-to-hit” becomes minutes, documentation cycles and remediation queues face a new reality: the business can no longer afford to treat security testing as something you do before an audit season.

For CISOs, security leaders, and boards, this is the stake. A is trying to turn cybersecurity from a periodic assessment into an always-on contest with attackers that learn quickly. With the $37 million bet now in play, the question peers should be asking is not whether continuous threat exposure management sounds good. It is whether the current operating model, especially the six-to-12-month simulated approach Chahal calls dead, can survive an environment where frontier models can autonomously surface thousands of zero-days in the span of a rollout.